infosec.exchange is one of the many independent Mastodon servers you can use to participate in the fediverse.
A Mastodon instance for info/cyber security-minded people.


npm was a mistake. the concept of pulling live dependencies that are not collectively managed by a QA team but each individually managed by many thousands of people with wildly varying skill and availability is inherently doomed to constant incidents.

@0xabad1dea compounded by the way npm (client) does version management—not using the lockfile by default. It wasn’t until version 5 that it would generate and follow a lockfile. It seemed perfectly designed to create these security and stability problems.

@0xabad1dea and the prodigious use of npx makes things even worse! It might use or download a random version of the package, possibly the latest, never the version in your package or lockfile. I find npx in package commands and frequently in CI commands and scripts. So these pipelines are particularly vulnerable.
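The two npm client behaviours raised in the replies above (a lockfile that `npm install` happily drifts away from, and `npx <pkg>` resolving to whatever the registry serves now) are easy to audit for mechanically. The script below is an added example written for this thread; it is not code from npm, Node, or any poster here. It assumes only Node's standard modules, and it assumes that `npx` of a package declared in package.json runs the locally installed copy (npm 7+ behaviour), so only undeclared or unpinned names are flagged. The sample package.json and CI lines at the bottom are constructed so the script runs offline.

```javascript
// Added example for this thread, not code from npm, Node, or any poster here.
// Audits an npm project for two footguns: dependency ranges that let
// `npm install` drift away from the lockfile, and `npx <pkg>` calls in
// scripts/CI that resolve outside package-lock.json.
// Assumption: `npx` of a package declared in package.json runs the locally
// installed copy (npm 7+), so only undeclared or unpinned names are flagged.

// Exact semver (1.2.3, 1.2.3-rc.1); anything else (^, ~, >=, *, latest, URLs) floats.
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:-[0-9A-Za-z.-]+)?(?:\+[0-9A-Za-z.-]+)?$/;
// `npx [flags] <name>[@spec]`: heuristic, covers scoped names and simple flags.
const NPX_CALL = /\bnpx\b((?:\s+--?[\w-]+)*)\s+(@?[\w./-]+)(@\S+)?/g;
// `npm install` / `npm i` in CI re-resolves ranges; `npm ci` installs the lockfile as-is.
const NPM_INSTALL = /\bnpm\s+(?:install|i)\b/;
const DEP_FIELDS = ['dependencies', 'devDependencies', 'optionalDependencies'];

function floatingDependencies(pkg) {
  const out = [];
  for (const field of DEP_FIELDS) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!EXACT_VERSION.test(spec)) out.push({ field, name, spec });
    }
  }
  return out;
}

function scanCommands(text, pkg, source) {
  const declared = new Set(DEP_FIELDS.flatMap((f) => Object.keys(pkg[f] || {})));
  const findings = [];
  text.split('\n').forEach((line, i) => {
    const where = `${source}:${i + 1}`;
    if (NPM_INSTALL.test(line)) {
      findings.push({ where, kind: 'npm-install', detail: 'prefer `npm ci` so the lockfile is honoured' });
    }
    for (const m of line.matchAll(NPX_CALL)) {
      const name = m[2];
      const spec = m[3] ? m[3].slice(1) : null;
      if (spec !== null && EXACT_VERSION.test(spec)) continue; // pinned to an exact version
      if (spec === null && declared.has(name)) continue;       // served from node_modules
      findings.push({ where, kind: 'unpinned-npx', detail: `${name}${m[3] || ''} resolves outside the lockfile` });
    }
  });
  return findings;
}

// Pure audit over strings; commandSources maps a label (e.g. a CI file name) to its text.
function audit({ packageJsonText, lockfilePresent, commandSources = {} }) {
  const pkg = JSON.parse(packageJsonText);
  const scriptsText = Object.entries(pkg.scripts || {}).map(([k, v]) => `${k}: ${v}`).join('\n');
  const commands = scanCommands(scriptsText, pkg, 'package.json#scripts');
  for (const [source, text] of Object.entries(commandSources)) {
    commands.push(...scanCommands(text, pkg, source));
  }
  return { lockfilePresent, floating: floatingDependencies(pkg), commands };
}

// Same audit against a checkout on disk; commandFiles are paths relative to dir.
function auditDirectory(dir, commandFiles = []) {
  const fs = require('node:fs');
  const path = require('node:path');
  const commandSources = {};
  for (const f of commandFiles) commandSources[f] = fs.readFileSync(path.join(dir, f), 'utf8');
  return audit({
    packageJsonText: fs.readFileSync(path.join(dir, 'package.json'), 'utf8'),
    lockfilePresent: ['package-lock.json', 'npm-shrinkwrap.json']
      .some((f) => fs.existsSync(path.join(dir, f))),
    commandSources,
  });
}

// Constructed sample input (not a real project) so the script runs offline.
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: 'sample-app',
  scripts: { build: 'tsc -p .', release: 'npx semantic-release', lint: 'eslint .' },
  dependencies: { express: '^4.19.2', lodash: '4.17.21' },
  devDependencies: { eslint: '~9.0.0', typescript: '5.4.5' },
});
const SAMPLE_CI = [
  'npm install',                 // should be `npm ci`: flagged
  'npm run build',
  'npx cowsay@1.6.0 "pinned"',   // exact version: fine
  'npx @scope/tool deploy',      // undeclared and unpinned: flagged
  'npx eslint .',                // declared devDependency: fine
  'npx tsc@latest -p .',         // floating tag: flagged
].join('\n');

function sampleReport() {
  return audit({ packageJsonText: SAMPLE_PACKAGE_JSON, lockfilePresent: false,
                 commandSources: { 'ci.sh': SAMPLE_CI } });
}

if (typeof require !== 'undefined' && require.main === module) {
  const dir = process.argv[2];
  const report = dir ? auditDirectory(dir, process.argv.slice(3)) : sampleReport();
  if (!report.lockfilePresent) console.log('no package-lock.json / npm-shrinkwrap.json');
  for (const f of report.floating) console.log(`floating ${f.field}.${f.name}: "${f.spec}"`);
  for (const c of report.commands) console.log(`${c.where} [${c.kind}] ${c.detail}`);
}
```

Run it with no arguments to see the report for the constructed sample, or as `node audit.js <checkout> .github/workflows/ci.yml` to scan a real project and the CI files you name. The npx regex is deliberately a heuristic (it does not understand `--package=` or shell quoting), so treat a clean result as "nothing obvious" rather than proof.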

@0xabad1dea I struggle with this take because I very much succeeded at contributing to foss in the js ecosystem due to the low barrier to entry for contributors and maintainers, but a low barrier to entry is not my top priority when choosing dependencies for serious projects. Rejecting npm very much feels like pulling up the ladder after myself, but I do also want a higher standard of quality for my users.

@dougwade @0xabad1dea PyPI, Pub, etc. have similar issues, but it is also at the core of what makes them useful (to me, at least, as a user, maintainer and contributor). If you are designing a production system (especially public facing), you should always freeze your package versions and review version updates. If you're dealing with critical or protected data then you are probably legally required to have an external audit.

It would be excellent to have some expert reviews of package updates and new submissions but it would be nice to not have it go the way of R/cran.

It's a trade-off...I will say that it is probably a much bigger problem now, as the sheer volume of packages combined with AI/vibe coding means this is going to cause plenty more incidents and increasing numbers of malicious packages.

@zeyus @0xabad1dea I think you very much understand my conflict. My needs as a user, a contributor, and a maintainer are all very different, and when you are designing a registry, you have to choose to privilege one of those roles over the others when making design decisions. It’s easy to say npm got it wrong; it’s harder to admit that there isn’t a single definitive right answer.

@dougwade @zeyus I think there is a most right answer but it involves a lot of funding and I don’t have the funding

@0xabad1dea @dougwade @zeyus

i diagnose the root problem as corporate open source, where there's a fuckin shitload of money except for maintenance or for the coders doing the work.

npm is a terminal expression of corporate desire for code without paying coders. so anyone can contribute! preferably under a permissive license.

the job is to supply free code for companies and npm is the minimum structure to do this job.

that it ends up full of exploding surprises is the sort of thing we should expect, point and laugh.

i don't think it's fixable because that's not what npm is for.

in conclusion, AGPL everything. or, as I think of it, the "I believe I just did, Bob" license.


@davidgerard @0xabad1dea @dougwade @zeyus

> in conclusion, AGPL everything. or, as I think of it, the "I believe I just did, Bob" license.

I never understand how people reach this conclusion. AGPL is a complex legal document. The only people who can use things licensed under it are people who think no one will sue them and people with large legal teams.

We have decades of experience showing that adding more complex licenses just makes corporations do their own in-house thing instead of contributing, and then they release it as a permissively licensed version and suck the oxygen out of the copyleft version's ecosystem.

The most successful users of the AGPL are companies who use it as a moat, preventing competitors from deploying something in the same space.

@david_chisnall

Your observations are matching my experience of enterprise work. AGPL is treated as "Danger, do not touch".

For example, the jasperreports library is very dependent on iText, and newer versions of iText, since 2009, are AGPL licensed. This creates interesting maintenance hell and even thoughts of fixing this are forbidden.

@muhanga

The other variation I've seen of this is:

Use [A]GPL'd project, but not for anything shipped to customers. Don't ever upstream fixes, because admitting that it's used internally would expose you to potential liability.

For hosted things, it's easy to write a plugin for an AGPL'd thing that calls some RPC system that is proprietary. It doesn't prevent the things that AGPL was explicitly written to prevent, but it does mean that a load of people who want to play by the rules regard it as too high risk.

When I worked on GNUstep, we reported to the FSF that a company was in violation of the license (GPLv3 at the time, they'd just moved from GPLv2). They were taking GNUstep code and using it in a proprietary system without acknowledging it. They had a load of internal bug fixes and new features.

The FSF did nothing, because taking them to court was really expensive, failed GPL enforcement makes them look bad, and they didn't value GNUstep enough to invest the money to do it well. Meanwhile, I released the GNUstep Objective-C runtime with the MIT license. Companies had no problem admitting that they used it (for a while, it was on more Android devices than there were iOS devices in existence, so I could claim to be maintaining the most widely deployed Objective-C implementation). We got a load of contributions from big and small companies (Microsoft did a load of bug fixes, when they used it in their WinObjC project that was briefly there as a path to porting iOS apps to Windows).

@david_chisnall @davidgerard @0xabad1dea @dougwade @zeyus even as someone developing fully open source software, the AGPL (& GPL) is a pain in the ass to comply with, so I avoid it entirely.

the AGPL adds significant barriers even to someone else who wants to use it for something open source.

@david_chisnall @davidgerard @0xabad1dea @dougwade @zeyus in all my years, do you want to know how companies actually treat GPL/AGPL licensed stuff?

They really, truly do not give a shit because they know. They know they can't and won't be sued no matter the size. Lip service and two middle fingers.

"Oh, no, don't look at the license it doesn't matter it's fine. Fork and fix it. But if you give them labor *we* paid for, you're fired. On the spot."

@rootwyrm @davidgerard @0xabad1dea @dougwade @zeyus

That's the companies that don't care. The ones that do care, simply avoid the projects entirely because the legal risks are too high. It's a system that actively penalises the good actors and rewards the bad actors.

@david_chisnall @rootwyrm @davidgerard @0xabad1dea @dougwade @zeyus Okay, here's my suggestion. I've seen this pattern thrice and I think it's worth poking at the root. Let's consider a piecewise license that trades corporate freedom for a healthy commons.

For users making at least (say) $50k USD/yr globally, the license costs 0.01% of global revenue (so that $5/yr is the starting point) *and* users must remit *all* of their code to the public commons. For users not making that much money, the terms are roughly like GPLv3, including access to the commons. We can add teeth to this by requiring the former users to indemnify their employees against fulfilling the terms of the license given that their employer documented the internal usage of the licensed system; IOW if a business chooses to use code under the license then they automatically sign themselves up for the annual fee and code donation.

This yields a system that actively penalizes the *corporate* actors and rewards *individual humans*. FSF and OSI wouldn't approve, but who cares? Businesses? This also could possibly yield a system where *no businesses participate*, which would be a superb outcome.

@corbin @rootwyrm @davidgerard @0xabad1dea @dougwade @zeyus

> For users making at least (say) $50k USD/yr globally, the license costs 0.01% of global revenue

What does that mean? If I earn a salary of $60k, I must pay $6/year to every program I use? Or every library used by every program I use? If a library is used by two programs, do I pay that library author $12 or $6? Or do I count only my post-tax income? If a program has 1,000 library dependencies do I actually have to pay 1/10th of my entire salary to use it?

If I am a trillion-dollar business with annual profits of but set up a wholly owned subsidiary as a non-profit in the Cayman Islands and have that non-profit resell the software to me for all internal use, do I get to use it for free?

This is the kind of thing I mean. You cannot write a license that a sufficiently well-funded lawyer cannot find loopholes in and that does not have awkward cases for non-malicious users. And every attempt introduces complexity for the non-malicious users while further empowering people for whom a team of full-time lawyers playing hunt-the-loophole is just the cost of doing business.

@rootwyrm @david_chisnall @davidgerard @0xabad1dea @dougwade @zeyus yeah, and the few cases of litigation in terms of enforcement backfired hard as well...

That being said in #Germany said #GPL licenses get enforced by courts - as #Fritz! (nee #AVM) found out the hard way.

@rootwyrm

@0xabad1dea @dougwade @zeyus @davidgerard @david_chisnall

Every company I've ever worked for has a firm policy of no GPL3 at all, GPL2 is allowed for things like the linux kernel or bash that we are not modifying anyway, LGPL2 is allowed but we really want you to look for an alternative first.

@bluGill @0xabad1dea @dougwade @zeyus @david_chisnall @rootwyrm Every company I've worked for doesn't, so we're 1:1 on anecdotes.

(e.g. the rule at BMJ was "can I send in this fix?" and the response was "sure". In fact, unlike you I've named a company, so we're 2:1 on anecdotes.)

@davidgerard

@0xabad1dea @dougwade @zeyus @david_chisnall @rootwyrm

My company currently doesn't want me to name them. Sometimes we get a bad rap for not contributing because our contributions are done under the personal name of the person who did it not a company name.

I'm not sure about previous companies so I'm not going to name them.

@david_chisnall @davidgerard @0xabad1dea @dougwade @zeyus there's no better alternative, so use it or engage on groups for a better alternative. just throwing hands up and using mit/bsd is not a fix, as much as using plain text is not a fix for a complex encryption library just because it has some caveats.

@gcb @davidgerard @zeyus @0xabad1dea @dougwade

> just throwing hands up and using mit/bsd is not a fix

Not a fix for what? After two or so decades of using MIT / BSD licenses and having good interactions with contributors ranging from the world's largest company down to students, and having released several things that have been deployed on over a hundred million devices, I am not seeing problems that need a 'fix'.

I release things under permissive licenses, and other people increase the amount of Free Software in the world.

@david_chisnall @davidgerard @zeyus @0xabad1dea @dougwade good for you, but not everyone's goal is to be an indirect consultant for hire.

@gcb @davidgerard @zeyus @0xabad1dea @dougwade

I'm not sure what that's supposed to mean.

If your goal is to increase the amount of Free Software in the world, restrictive licenses have been shown, repeatedly, to not help, and often actively hinder.

If your goal is to write software that no one apart from you uses, just don't publish it, problem solved.

If your goal is to get software that you can use, with less effort than writing it all yourself, by having other people contribute, then permissive licenses help more than restrictive ones.

If your goal is to make people use Free Software systems, the biggest thing that you can do to help is make Free Software systems actively desirable by users. That means making exercising the FSF's Four Freedoms things that users are empowered to do and actively benefit from doing. That means focusing on building end-user programmable environments. That means making it trivial to modify software and distribute the improvements for people with little or no programming background. Complex licenses actively harm this effort because they mean that you have to be a lawyer to understand what you can and cannot do with the result.

If you believe that social problems are best solved with complex legal structures, by all means keep using [A]GPL and similar licenses.

@david_chisnall @gcb @zeyus @0xabad1dea @dougwade

> complex legal structures,

you keep hammering on this, is your core argument *really* "the license is long"? I posit that if it is complex, that's because it's written for a complex world.

> If you believe that social problems are best solved with complex legal structures

That looks very like a short description of a functioning society with rule of law, where the laws match its complexity. There are people who advocate just throwing all of that out, and the kindest thing I can say is that they're being extremely simplistic.


@davidgerard @gcb @zeyus @0xabad1dea @dougwade

> you keep hammering on this, is your core argument really "the license is long"? I posit that if it is complex, that's because it's written for a complex world.

The license is long and complex. Licenses (and laws) work well when they are simply documenting things that everyone involved believes is the right thing. We don't need to worry about the exact wording in the laws against murder, because we both agree that killing people is a bad idea.

The problem with GPL-style things is that they try to define rules that prevent people from doing things that they are otherwise incentivised to do.

When you create a license that prevents people from doing things that they want to do, you don't prevent them from doing the thing, you make them pay lawyers to find loopholes.

The core idea of the GPL is that you should publish your changes and let other people use them. But if you don't want to? You use one of the following work-arounds:

  • The NVIDIA strategy of releasing some GPL-compatible code as a shim layer that loads a binary blob.
  • The Tivo strategy, of requiring signed code.
  • The Google strategy of keeping your changes private and simply not distributing them.
  • The Oracle strategy of using patents to prevent anyone using the GPL'd code without a license.

Or you use the approach from less reputable companies, of just ignoring the license and daring individuals to spend vast amounts of money taking them to court.

So now you get GPLv3 which closes the Tivo loophole and the Oracle loophole. You get AGPL which closes the Google loophole.

But the NVIDIA one is still there. I can run Mastodon (AGPLv3) and write a plugin that talks to some back-end service for translation, indexing, or whatever, and all I have to publish is the code that handles the API calls, not the implementation.

Meanwhile, people who actually do want to play by the rules get nervous because anything that they accidentally link into a GPL'd binary might incur liability. If they distribute GPLv3 code that infringes one of their patents, it's now gone from their defensive portfolio and that makes them more vulnerable to patent trolls.

> That looks very like a short description of a functioning society with rule of law, where the laws match its complexity. There are people who advocate just throwing all of that out, and the kindest thing I can say is that they're being extremely simplistic.

Laws almost never change behaviour. Laws work when they are written as a consensus view of acceptable behaviour. When they disagree with people's expectations, you see widespread civil disobedience. You need to change the consensus view before you pass the laws. Laws are necessary to handle the outliers.

I don't refrain from murdering people who annoy me because it's illegal, I do so because I think murder is a bad idea and because I want to live in a society where murdering people is not something that happens. Most of the population agrees with that view. A few people disagree, and we have police, courts, and laws to handle them.

When you stray from that consensus, laws become harder to enforce. We're seeing that now with the protests, we saw it in a much larger scale with Napster.

If you want a particular behaviour to be more or less common, you need to start with social pressures. You can then write laws or licenses that codify that. But if you have a large set of incentives for a particular behaviour and a weakly enforced license trying to discourage it, the only people that it affects are the ones that are honest and don't have a large legal budget.

@david_chisnall @gcb @zeyus @0xabad1dea @dougwade ok. before I continue, do you self-label as libertarian or some equivalent?

@davidgerard @gcb @zeyus @0xabad1dea @dougwade

No, though I did way back when I thought the GPL was a good idea. Both the GPL and Libertarianism are systems that seem superficially sensible, as long as you completely ignore the history of how they have worked in practice.

@davidgerard@circumstances.run @david_chisnall@infosec.exchange I honestly don't get the debate here. Users, hobbyists, people who are learning to code, etc etc don't usually have to worry too much about software licenses. As soon as someone wants to make money with the software, they do--but that's how business works. The fact that the license is long or complex is irrelevant. That's what compliance officers and attorneys are for. My experience has been that upon encountering a new software license, a compliance officer will read it over and then boil it down into a short bullet list of things you have to do to safely use it in your business. This task could be done by third parties for smaller companies who cannot afford to hire their own, could be done pro bono, or could be crowdsourced. Generally once it's done, it's done; you don't have to re-interpret the license every time you encounter it. In short there are many ways to handle long and/or complex licenses that are not onerous.

This is how most regulatory frameworks work. They, in general, are good for society, unless you're a libertarian or some variant thereof I guess. Eschewing any kind of regulation, even informal systems, in the hope that corporations will firehose the world with "free" software is a strange take that I don't think can be defended.

It's also strange to demand that one can pick up a piece of software--something many people may have toiled over for many years--and start using it for whatever purposes one wants without any restrictions. That is an anti-social stance, in my view.

Personally I think the conflation of "free software"--which represents a political agenda--with Tim O'Reilly style [thebaffler.com] "open source software" --which represents a corporate agenda--was a mistake. I think it muddies almost every discussion about software.

@gcb@pleroma.envs.net @zeyus@corteximplant.com @0xabad1dea@infosec.exchange @dougwade@mastodon.xyz

@abucci @davidgerard @gcb @zeyus @0xabad1dea @dougwade

> Users, hobbyists, people who are learning to code, etc etc don't usually have to worry too much about software licenses

Usually, being the operative word. I compile a GPL'd program for a friend and give them a copy of the binary? Oops, I've violated the license. Now, I'm probably fine, because I doubt anyone would take me to court over this. But I've also read one legal opinion recently that argued that the fact that GPL'd projects permit this kind of casual license violation means that they can't claim any actual damages (and may not qualify for statutory damages) when a company violates the license in the same way.

That particular clause in GPLv2 caused a hobbyist Linux distro to shut down around 10 years ago. They built binary packages from a load of GPLv2 things. GPLv2 says that you must ship either the source code (they didn't want to force users to download source code that they didn't need) or a written offer good for three years to provide the source code on demand. They couldn't afford the storage cost of all of the source code for three years. GPLv3 allowed you to just pass on such an offer if you had received one, but a lot of distros carry a few patches, which eliminates this option. For big corporate-funded distros, this is fine, for community-developed ones it's more of a burden.

And that's the problem with complex legal documents. You are probably fine, but you need to understand the nuances of when you aren't.

The many, many hours of my life that I've been forced to spend discussing the GPL and its derivatives with lawyers tell me that this is not easy.

@david_chisnall @davidgerard @zeyus @0xabad1dea @dougwade your points focus on short term imo, and it also seems your focus is interacting commercially with enterprises. I've worked on the early dotcom, FreeBSD everywhere, everything proprietary, unless a coalition wanted to push a protocol. osx is not even worth talking about. android+ios only manages to be the #1 and #2 eWaste generators because of tainted kernel with closed drivers.

gpl is as complex as it needs to be. and most of the claimed complexity is well known to be a fud campaign. and enforcement sadly, as you've experienced, is lax, but at least that's a fixable problem, different from hoping corporations will be good samaritans out of nowhere.

@gcb @zeyus @0xabad1dea @david_chisnall @dougwade "too haaard" is a fundamentally silly-sounding objection. yes, that's because the law is complex.

The start of this thread is a permissively-licenced project full of permissively-licenced code being a security disaster because it turns out the corporations just don't contribute back (code, effort, maintainers, reviewers) if they don't have to. It's not a good ad for permissive licensing!

@gcb @davidgerard @0xabad1dea @david_chisnall @dougwade

> good for you, but not everyone's goal is to be an indirect consultant for hire.

It seems like there isn't anything that could change your mind, and I guess that comment wasn't targeting me, but, personally as a researcher and ex-industry software engineer, I wouldn't have been able to do so many things had it not been for more permissive licenses.

I'm not a consultant and never plan to be, nor have I made money from the contributions, tools etc I have worked on.

I'm just as happy to submit a patch for a small open source pdf reader as I am to an open sourced tool (that I find useful) that is developed by Google or Microsoft. If someone else can get use out of it then that is a net benefit.

I can tell you, there would have been no incentive for me to develop tools under complex licenses, even less so to make them publicly available.

@zeyus not sure what your point is, but that's great to hear. bsd/mit license purpose should be exactly that, a corporation open sourcing something they no longer have a strategic reason to keep closed.

@gcb but I am not a corporation, and I'm happy for people to use what I make without drama, and I'm glad other individuals / small teams have allowed the same...the corporations were only one end of the spectrum that I mentioned

@zeyus people would have used what you contributed without drama on either license. i don't see the point. you seem to have internalized some propaganda that is making this conversation confusing.

even if Microsoft releases something as bsd, the community forks as gpl and improves it, and Microsoft adopts the gpl version back with improvements... everything continues as normal. your history would have been the same.

corporations only open source something when 1. they will not develop closed features as it's not strategic anymore, 2. they have a tactical advantage by open sourcing something that is a core competency of the competition. (not entering the cases where corporations adopt open source)

@gcb @zeyus @0xabad1dea @david_chisnall @dougwade you're arguing with a FreeBSD committer on permissive licenses, don't expect a changed mind

@davidgerard @gcb @zeyus @0xabad1dea @dougwade

I'm also the maintainer of a GNU project. And a former GPL advocate. My mind has already been changed once in this area. My current opinions have been reinforced by hard-earned experience.

@0xabad1dea @dougwade @zeyus the entire discussion reminds me of the business case that Linux distributions fill:

Buy enterprise Linux from a distributor and you have one person to go to for package selection, security updates etc

I would anticipate similar enterprises to build up between those shipping products based on OSS and OSS projects. One trigger will be CRA.

As a result distributors will be well advised to invest, either by providing helping hands, funding or hiring maintainers.

@mainec @0xabad1dea @dougwade @zeyus do we see this happening yet? if not, why not? 'cos mostly we see the effects of this not happening

@dougwade @0xabad1dea
I would blame more on people working in critical sectors who blindly use npm for whatever reason without assessing the security risks that come naturally when a lot of amateurs are involved. Indeed, anyone familiar with supply chain security should not be unaware of it, and I suspect improper uses of npm despite that may have something to do with ill-doctrines from higher executives that emphasize profit. See a recent comment on Microsoft's attitude theregister.com/2025/08/08/exw


@dougwade @0xabad1dea
No offence but your words sound naive to me. Trusting that all people do the right thing.

Let's be clear: low barrier to entry means inviting professional criminals into your ecosystem with open arms. Take the locks off your house and car; that makes it easy to gain entry. How about if we stop requiring ID when someone wants to withdraw cash from your bank account?

Meanwhile in the real world, good systems must control and nullify the evil impulses of the worst among us.

@TrimTab @0xabad1dea if your only goal is to produce secure systems, I can understand why you find my take naive. I would like to suggest to you that in the early days of npm, producing secure systems was not the only priority we were considering.

@dougwade @0xabad1dea
Fair enough, good point. Then I will categorize npm with countless other optimistic internet technologies that either died in spammy criminal-infested obscurity, or evolved into robust, hardened and battle-tested versions of themselves.

Remains to be seen which way npm will go.

@0xabad1dea I wonder why maven is not constantly detonating into our faces like that; where lies the difference? OK, the repository is centralized, but writing still happens by the authors themselves

@DJGummikuh @0xabad1dea It could be attributed to a different attack surface and a different modus operandi when adopting and publishing dependencies. In npm you may find small packages which focus on one small thing, whereas (at least in the early history of Maven) users would usually grab batteries-included frameworks with a shorter dependency tree depth.

But also, Maven often gives the opposite problem, that of stagnation: the few dependencies that you might have in a project are much harder to update than in npm.

@DJGummikuh @0xabad1dea Publishing to Maven Central is more complicated. (Most of it is completely unnecessary, but that's beside the point.)

It appears that these additional hoops are highly effective in filtering out the bottom rung of developers, i.e. those who cannot read documentation and follow instructions.

@soc @DJGummikuh @0xabad1dea don't get me started on the recent change which broke publishing for gradle and forced you to use a custom 3rd party plugin (I developed my own plugin because the existing ones all sucked)

@solonovamax @DJGummikuh @0xabad1dea Every time they change shit for totally obnoxiously unnecessary reasons I could scream, but then I remember that this keeps the ecosystem safe and high-quality, apparently. 😅

@DJGummikuh @0xabad1dea Maven Central has some verification steps for "ownership" of the groupId before they allow you to publish (central.sonatype.org/publish/r). As far as I can tell, NPM only requires that you create an account.

As an aside, Maven Central is not the only repository out there, just the one used "by default".


@mrotteveel @DJGummikuh @0xabad1dea Signing etc. might not be harder once you get the idea what you are doing, but like a rather simple lock on a bike: Enough prevention to prevent drive by thefts. The process to publish seems to hit a sweet spot of being easy and hard enough IMHO

(Jfc, how hard can it be at times to express what you mean, 3rd edit is a charmer)


@0xabad1dea well, isn’t that mostly on the consumer? Would you feel the same way if only hobbyists used it for small weekend projects?

@VioletBackpack “would you feel the same way if the circumstances were utterly different with regard to why you came to this conclusion”? no? but I don’t see how that’s relevant
